Security researchers say they've found a conclusive link between the Flame espionage malware and Stuxnet, the powerful cyberweapon that US and Israeli officials recently confirmed they designed to sabotage Iran's nuclear program.

An early version of Stuxnet dating back to 2009 contained executable code that targeted what was then an unknown security flaw in Microsoft Windows, a discovery that brings the number of zero-day vulnerabilities exploited by the malware to at least five, researchers from Kaspersky Lab said Monday morning. Even more significantly, they discovered that a small chunk of code found in the Stuxnet.A (1.0) variant contained some of the contents of today's Flame. In addition to unearthing previously overlooked data about how Stuxnet hijacked targeted networks, the discovery is important because it establishes the first positive connection between the developers of Stuxnet and those behind Flame, which came to light two weeks ago as a highly sophisticated espionage platform that targeted computers in Iran and other Middle Eastern countries.

"The fact that the Flame group shared their source code, their intellectual property, with the Stuxnet group proves that there is an actual link," Roel Schouwenberg, a senior researcher at Kaspersky Lab, said during an online press conference. "They actually cooperated at least once. That's, I think, huge news. It confirms our beliefs we've had all along, that the Flame operation and the Stuxnet operation were two parallel projects fashioned by the same entities."

The Flame code was found in a platform component included in the earlier versions of Stuxnet collected in 2009, Kaspersky researchers wrote in a blog post published Monday. The component, referred to as "resource 207," contained a portable executable file that was likely added early on, while the Stuxnet project was still fledgling. The code was removed from later versions of Stuxnet once that malware could achieve the same capabilities using different components.

"We firmly believe that the Flame platform predates the Stuxnet platform," Schouwenberg continued. "It kind of looks like the Flame platform was used as a kick-starter of sorts to get the Stuxnet project going. After 2009, this resource 207 was actually removed from Stuxnet, and the Flame operation and the Stuxnet operation each went their separate ways. Maybe this was because the Stuxnet code was now mature enough to be deployed in the wild."

Schouwenberg said the common code shared between the two malware families has gone unnoticed until now because researchers have analyzed later versions of Stuxnet that no longer included it.

The research suggesting that Flame is a precursor to Stuxnet and was sponsored by the same wealthy source is consistent with what is already known about the two pieces of malware. Stuxnet pinpointed specific nuclear facilities in Iran and infiltrated them with software that caused their uranium centrifuges to malfunction while reporting back to engineers that all equipment was working normally. Before the Stuxnet developers could execute such a technologically advanced surgical strike, they almost certainly needed espionage malware that gathered detailed data about the makeup of the plants and the equipment they used.

Some of the Flame code included in resource 207 contained a "special trick" to infect USB drives by manipulating the "autorun.inf" configuration file that Windows reads to automatically launch applications when removable media is inserted. The component also contained an exploit for a Windows privilege-escalation vulnerability that Microsoft did not patch until June 2009, in the bulletin designated MS09-025. That means the early version of Stuxnet was exploiting a zero-day vulnerability at the time. Until now, researchers knew Stuxnet exploited four such vulnerabilities; Kaspersky's discovery brings the number to five.
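The autorun.inf detail above matters to defenders because Windows' INI reader is tolerant: a file does not have to begin with `[autorun]` to be honoured, so a scanner that only looks at the first line misses a junk-prefixed or payload-prefixed file. The following is an added example, not code from the article, from Kaspersky Lab or from the Flame and Stuxnet samples. It contrasts a naive first-line check with a parser that skips everything before the first section header, then applies a few heuristics (PE header at offset 0, non-text bytes before the section, launch entries that go through a DLL loader or point at an odd file type, an `action` label that mimics the Explorer prompt). The heuristics, the finding codes and both sample files are constructed for illustration; the assumption that this parser approximates Windows' tolerance is the author's, not something the article states.

```python
"""Tolerant autorun.inf inspection. Added example, not code from the article,
Kaspersky Lab or the Flame/Stuxnet samples. The heuristics, finding codes and
sample files are constructed for illustration; the assumption that a tolerant
INI reader skips everything before the first section header is the author's."""
import re
from typing import Dict, List

# [autorun] keys that make Windows launch (or offer to launch) a program.
LAUNCH_KEYS = ("open", "shellexecute")
# Launch targets that are unusual for a legitimate installer (heuristic).
ODD_TARGET_EXT = (".dll", ".scr", ".pif", ".com", ".cpl")
AUTORUN_HEADER = re.compile(rb"(?im)^[ \t]*\[autorun\][ \t]*\r?$")


def naive_has_autorun(data: bytes) -> bool:
    """The hasty check: is '[autorun]' literally the first line?"""
    return data.split(b"\n", 1)[0].strip().lower() == b"[autorun]"


def parse_autorun(data: bytes) -> Dict[str, Dict[str, str]]:
    """INI-style parse that drops everything before the first section header.

    Assumption: this approximates how tolerant the Windows reader is, which is
    why a junk-prefixed file can still be honoured at insertion time."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in re.split(r"\r?\n", data.decode("latin-1")):  # latin-1 keeps junk bytes intact
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
        # anything else (junk before the first header, malformed lines) is dropped
    return sections


def analyse_autorun(data: bytes) -> List[str]:
    """Return finding codes for one autorun.inf; an empty list means nothing looked odd."""
    findings: List[str] = []
    if data[:2] == b"MZ":
        findings.append("pe-header-at-offset-0")
    match = AUTORUN_HEADER.search(data)
    if match is None:
        findings.append("no-autorun-section")
        return findings
    prefix = data[:match.start()]
    if any(b < 0x09 or 0x0D < b < 0x20 or b > 0x7E for b in prefix):
        findings.append("binary-data-before-autorun")
    entries = parse_autorun(data).get("autorun", {})
    for key in LAUNCH_KEYS:
        value = entries.get(key, "").lower()
        if not value:
            continue
        if "rundll32" in value or "regsvr32" in value:
            findings.append(f"{key}-uses-dll-loader")
        # first comma-separated part of each token is the path; 'x.dll,Entry' -> 'x.dll'
        targets = [tok.split(",", 1)[0].strip('"') for tok in value.split()]
        if any(t.endswith(ODD_TARGET_EXT) for t in targets):
            findings.append(f"{key}-targets-odd-extension")
    if "open folder" in entries.get("action", "").lower():
        findings.append("action-mimics-explorer-prompt")
    return findings


# Constructed samples (not real Flame or Stuxnet artefacts).
BENIGN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\n"
JUNK_PREFIXED = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"\x00" * 16
    + b"\r\n[autorun]\r\n"
    + b"shellexecute=rundll32.exe .\\data\\x.dll,Entry\r\n"
    + b"action=Open folder to view files\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("junk-prefixed", JUNK_PREFIXED)):
        print(name, "naive:", naive_has_autorun(sample), "findings:", analyse_autorun(sample))
```

Run it and the naive check says the junk-prefixed file has no autorun section at all, while the tolerant parser finds the `[autorun]` block and the launcher entry behind the junk. Any real deployment would tune the heuristics against a corpus of legitimate installer media, since `open=setup.exe` style files are common and must not be flagged.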

Clues that Stuxnet contained Flame code have been in researchers' logs since at least October 2010, when automated systems at Kaspersky received a malware sample and labeled it as Stuxnet. Researchers later dropped that attribution and renamed the sample Tocy.a after failing to find any connection to Stuxnet.

"Checking the logs, we discovered that the Tocy.a, an early module of Flame, was actually similar to 'resource 207' from Stuxnet," Kaspersky Lab Expert Alexander Gostev wrote in Monday's blog post. "It was actually so similar, that it made our automatic system classify it as Stuxnet. Practically, Tocy.a was similar to Stuxnet alone and to no other sample from our collection."
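The automated classification Gostev describes, a sample getting labelled as Stuxnet because it resembles Stuxnet "and no other sample", is what code-similarity fingerprinting does. The block below is an added example, not Kaspersky's classifier and not derived from the real samples: it hashes every 8-byte window of a sample, compares sets with Jaccard similarity, and also reports containment (how much of the smaller fingerprint sits inside the larger one), which is the measure that stays high when a small module such as resource 207 is embedded in a bigger binary. The "Stuxnet", "Tocy" and "Other" samples are constructed pseudo-random bytes that merely share one contiguous region; the threshold and window size are arbitrary choices for the illustration.

```python
"""Byte n-gram fingerprinting, the simplest form of the automated similarity
check that can flag one sample as 'looks like' another. Added example: not
Kaspersky's classifier; the samples are constructed pseudo-random bytes."""
import random
import zlib
from typing import Dict, Set, Tuple

NGRAM = 8  # window size in bytes; larger windows are stricter about what counts as reuse


def ngram_hashes(data: bytes, n: int = NGRAM) -> Set[int]:
    """CRC32 of every n-byte window; order-insensitive, so a moved chunk still matches."""
    return {zlib.crc32(data[i:i + n]) for i in range(len(data) - n + 1)}


def jaccard(a: Set[int], b: Set[int]) -> float:
    """Symmetric overlap: intersection over union."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def containment(a: Set[int], b: Set[int]) -> float:
    """Fraction of the smaller fingerprint present in the larger one. This stays
    high when a small module is embedded in a much larger sample, where Jaccard
    is dragged down by everything the larger sample has in addition."""
    small, large = (a, b) if len(a) <= len(b) else (b, a)
    return len(small & large) / len(small) if small else 0.0


def classify(sample: bytes, corpus: Dict[str, bytes],
             threshold: float = 0.25) -> Tuple[str, float]:
    """Label the sample with its most similar known family if Jaccard clears the threshold."""
    fp = ngram_hashes(sample)
    best_name, best_score = "unknown", 0.0
    for name, known in corpus.items():
        score = jaccard(fp, ngram_hashes(known))
        if score > best_score:
            best_name, best_score = name, score
    if best_score < threshold:
        best_name = "unknown"
    return best_name, best_score


# Constructed samples: pseudo-random bytes stand in for code. "Tocy" shares a
# 2000-byte region with "Stuxnet"; "Other" shares nothing with either.
_rng = random.Random(207)


def _blob(size: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(size))


STUXNET_207 = _blob(4000)
TOCY = _blob(1000) + STUXNET_207[1000:3000] + _blob(500)
OTHER = _blob(3000)
CORPUS = {"Stuxnet": STUXNET_207, "Other": OTHER}

if __name__ == "__main__":
    label, score = classify(TOCY, CORPUS)
    shared = containment(ngram_hashes(TOCY), ngram_hashes(STUXNET_207))
    print(f"Tocy -> {label} (jaccard={score:.2f}, containment={shared:.2f})")
```

With these sizes the shared region yields a Jaccard score of roughly 0.36 against "Stuxnet" and essentially zero against "Other", while containment is about 0.57, which is why a production pipeline usually reports both before a human looks at the shared bytes.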

During Monday's conference, researchers also independently confirmed findings first published last week that Flame's hijacking of Microsoft's Windows Update mechanism relied on a "collision" attack against the MD5 hash algorithm of a kind cryptographers had not seen before. A collision lets an attacker produce two different inputs with the same MD5 digest; here it was used to forge a code-signing certificate that chained up to Microsoft's own certificate hierarchy, so Windows treated Flame's update module as legitimately signed by Microsoft. The practical lesson for defenders is that any certificate authority still signing with MD5 is a forgery risk, however strong the rest of the chain is.

"This was a completely new collision attack," Schouwenberg said. "What makes it more interesting is if it truly dates back to [2009], that means this collision attack was done before any public documentation on this matter, and that really shows these are world-class cryptographic experts involved."

Story updated to correct size of the chunk of code borrowed from Flame.

Promoted Comments

The public is finally getting to see some of the stuff that goes on behind the scenes in the security world. The firm that developed both Stuxnet and Flame is undoubtedly composed of some of the top persons in their fields.

If both Stuxnet and Flame have been around for the period described in the article, that means there are already other tools in-play by the same creators. Just like any malware is deprecated upon its first detection, so are cyberwarfare tools like Flame and Stuxnet.

Now if only Kaspersky could find such an advance virus "in the wild" and not have it spoon fed the virus infected computer from the UN.

that brings me to the second point. If you were said Nation-state investing millions of dollars and Beyond known limit cartographic work on real world working software, why wouldn't you nudge the UN not to hand over computers coming from the Middle east to the Russians to analyse for virus.

Last but certainly not least, i wanted to thank the Author Dan Goodin, for a superb and well written piece. I had read the Reuters piece earlier this morning, and you can tell the author was either purposely dumb'ing the news down or clearly didn't know anything about it. You Mr. Goodin on the other hand wrote perfectly into the Ars Audience and clearly stated all the updated news around the subject in a clear and concise manner, with out leaving out technical details.

What a surprise, the same US/Israeli, I mean unknown team, is behind both?! /sarcasm

I am not usually one for FUD, but I do feel a *bit* safer knowing that we have successfully hampered Iran's nuclear program. No reasonable person could honestly think they are doing it just for the "energy".

I would need a reason beyond a gut feeling tainted by US intelligence and shorts from MSNBC and Fox News. My Commander in Chief had me and my wife dredging sand for WMD in Iraq. Years separated from one another. Births and funerals missed. Injuries. I won't complain too much, because we both reenlisted to serve. But to be honest, I trust none of the information being fed to me by the MSM nor our government. Show me a nuke, or a satellite picture of a nuke, or something. Otherwise, GTFO with that FUD.

Now if only Kaspersky could find such an advanced virus "in the wild" and not have the virus-infected computer spoon-fed to it from the UN.

That brings me to the second point. If you were said nation-state, investing millions of dollars and beyond-known-limit cryptographic work on real-world working software, why wouldn't you nudge the UN not to hand over computers coming from the Middle East to the Russians to analyse for viruses?

Last but certainly not least, I wanted to thank the author, Dan Goodin, for a superb and well-written piece. I had read the Reuters piece earlier this morning, and you can tell the author was either purposely dumbing the news down or clearly didn't know anything about it. You, Mr. Goodin, on the other hand wrote perfectly for the Ars audience and clearly stated all the updated news around the subject in a clear and concise manner, without leaving out technical details.

Edit: and added pretty pictures that were useful to the article!

Kaspersky may be a Russian firm, but at some point you need to look around and simply determine who you trust to do the analysis. Would YOU trust an American AV company to check this out when you may have concerns about where it came from? Regardless of nationality, Kaspersky produces a decent product that works, and that is what counts.

I wouldn't be at all surprised if they also programmed this thing to instruct Windows to troll through WiFi networks that are in range and try to connect/spread through them when the computer is idle. Potentially even to the point of instructing Windows to re-enable Wireless devices when they have been disabled through device manager or the network properties in order to do so.

Is it at all possible that the people who make the decisions really were convinced that the evidence was pointing to WMD in Iraq? Hindsight is 20/20 after all. And just in case anyone is confused, I was against the Iraq war regardless of whether they had WMD. Also, why would you reenlist when you don't trust the decisions made by those who see you as a pawn in their international exploits? I didn't enlist in the first place because I have no interest in participating in their games. Unless we end up in a clear-cut good vs. evil scenario (such as WWII) or we are directly defending our home soil from attack, I don't ever intend on fighting in any wars.

EDIT: Grammar only

Smart man, but got the quote authors mixed up. Fighting for a cause has always been more honorable than fighting for your country.

As much as the Middle East hates the US, most of them hate Israel more. I am more worried for them than us at this point (keeping in mind Israel has nuclear weapons too).

Nukes being why you don't need to worry too much about Israel's safety. Nobody's going to try to roll tanks over the Israeli border, and if anyone actually lands a nuke in that country, the attacking country will probably cease to exist. Israel is rumored to have about 200 nuclear bombs and a handful of ballistic launchers that could reach all of Europe, Asia, Africa and most of North America.

Ah, they hate the US banner. I wonder why that is? Perhaps a history of western hypocrisy and double standards can be added to that discussion.

Americans believe what they're told, but they're never asked to think or to challenge the status quo. How many understand the history between the US and Iran, which starts with a coup in 1953: the toppling by the US, at British incitement, of Mohammed Mossadegh? The then Iranian prime minister's embrace of economic modernisation and social reform promised a shining model for the region. He made the mistake of thinking Iran rather than Britain should own its oil industry. That led to a brutal dictator propped up by the West, which then led to the revolution.

Blowback is a bitch. Now just imagine if you were the United States in that situation, instead of Iran. How would we feel if the roles were reversed and another nation meddled on that level? I imagine it would leave a bad taste in one's mouth for some time, at the very least.

It's a whole lot of "do as I say, not as I do," and then they wonder why they hate us. It's not for our freedom and democracy (says who?), that's for sure.

Americans believe what they're told but they're never asked to think or to challenge the status quo.

Generalize much? I'm American and I magically know about this plus many more. We empowered Saddam to fight Iran, we empowered the Taliban to fight Russia, and we currently empower Pakistan to constantly stab us in the back.

And it's only the US that does stuff like this. Europe would never stoop to practices like that. NEVER! We support democracies like Zaire back then and, well, Persia. Iraq may have had a bunch of European hardware but that was to defend democracy... I think...

Personally I find any acts against Iran's nuclear program sheer stupidity on behalf of other countries. They are not any more dangerous than every other country that has nuclear weapons.

How would you feel if countries around you had nuclear technology but not you? It is a power struggle only, and Israel and the States do not want to be on more of an equal plane. That is my opinion anyway!

I don't dispute that the US has done these things... we have. But let's stop making it sound like the US is the only one to do this throughout history (the technical aspects notwithstanding). Every "world power" has meddled to some extent - the British, the Spanish, the French, the Persians (Iran), the Ottomans, and on and on.

Is it right? No idea. I just know it's how things are done for the past... oh... few thousand years.

Look, if there's one thing I've learned from watching the Israeli people over the last 20 years or so, it's that they don't play games. That nation is like an angry porcupine: when it needs to defend itself, you best believe it's going to. It has no choice; the people around it want it eradicated completely.

If I was gonna choose someone to piss off, it would not be them. I firmly think they'd launch a nuke on your ass before the U.S. would, hands down. We're too worried about the political backlash of such a thing. Israel? I don't think they could give two shits about what the world thinks of them; they know they're already hated in the region. So go ahead, keep poking the badger. It's pretty obvious it's got financial backing and a sea of IP behind it.

Eventually the Middle East will collapse upon itself, but it will be with continued, planned, covertly organized uprisings like we've seen recently. It won't play out on the front page; it'll be buried deep and come forward from there. It won't be pretty, but it will be life-altering. Flame and Stuxnet are just one of the many weapons in play. If it took four years to find that, what's out there today, being developed now, will make that look like a joke, I think.

If Flame was out in the wild earlier than Stuxnet, how come it was detected later?

FTA:

Quote:

"We firmly believe that the Flame platform predates the Stuxnet platform," Schouwenberg continued. "It kind of looks like the Flame platform was used as a kick-starter of sorts to get the Stuxnet project going. After 2009, this resource 207 was actually removed from Stuxnet, and the Flame operation and the Stuxnet operation each went their separate ways. Maybe this was because the Stuxnet code was now mature enough to be deployed in the wild."

Presumably, Stuxnet was ready first, and released. Flame was ready later, then released.

This ++. Israel has stopped caring what the UN or anyone else has to say about them; pretty much anything they do is vilified or misreported, even though they have done and continue to do more good for the Palestinians than any other Arab nation. Most of the Middle East sees the Palestinians as second-class refugees, but a convenient scapegoat to rail at Israel.

I doubt though they'd go as far as a nuclear strike, precision bombing or infantry insertion seems more likely, but I doubt it would come to that. For now it's malware and bombings from Gaza and Lebanon - Iran's proxies.

Hey Sgt Fruitcake. Who cares what they are doing with their nuclear program. How does Iran's nuclear program affect you in the slightest you intellectually feeble drone? As Demonicume so succinctly put it, GTFO with that FUD rubbish.

That's the problem with you Americans. You buy into the bullshit, roll around in it gleefully until you are covered head to toe and are left powerless to smell the roses because you are so accustomed to the stench of the aforementioned bullshit. And then cry foul when such a truth is pointed out to you, despite it staring you in your face.

TBH I couldn't give a rats if Iran wants to nuke Israel, IMO Israel and America deserve all the hate they get from the rest of the "civilised world". This goes double for Israel and their vested interest in perpetuating the troubles in the Middle East.

Getting back to the article at hand, I am enjoying following this particular issue, it does more to reinforce the belief that while the powers that be pronounce their visions of a "Free and Democratic World" to all and sundry, they really want to ensure a world where no-one is "free" from their prying eyes.

As Thunder005 put it, you wrote a well aimed piece which has, and rightfully so, been well received by the ARS audience. Cheers Dan.

I wonder if this will be censored due to the "anti-America/Israel" sentiments contained herein...

No dude, that's not why your comment will be censored. We like debate here, and can handle challenging ideas. However, when you call someone "Sgt Fruitcake" and an "intellectually feeble drone" you are violating the posting guidelines.

What I find interesting about this story, and others like it, is the fact that these are the only 2 viruses currently known to be nation-state funded. The thing I haven't seen discussed much is the fact that cyberwar programs have not shut down in the interim.

If Flame took as long as it did to be discovered, what else is out there that we just haven't seen yet?

Sounds like researchers are comparing computer virus fossils to their present-day descendants.

As to the US being the good guys... I'm sure they're using it not just against Middle Eastern theocracies. What's stopping them from targeting anyone else? Good manners?

Probably the ROI. In this case, the target was likely important enough to warrant the price tag. So anyone else would need to top nuclear ambitions in Iran in order to require Flame v. 2.0 or something like that.

You do realize Iran is only a bad guy because the US government says so, right? Just like they said Saddam was, AFTER he served his original purpose for being brought to power BY THE US!!!! Just like the Shah in Iran was BROUGHT TO POWER BY THE US.

From Wikipedia: "The 1953 Iranian coup d'état (known in Iran as the 28 Mordad coup) was the overthrow of the democratically elected government of Iran Prime Minister Mohammad Mosaddegh on 19 August 1953, orchestrated by the intelligence agencies of the United Kingdom and the United States under the name TPAJAX Project."
